Not-for-profit company directors are failing to engage with cybersecurity at their own peril, a report warns.
The Australian Institute of Company Directors (AICD) July 2018 Not for Profit Governance and Performance Study found that not enough attention is being paid to cybersecurity by directors, with more than half saying it is not an operational issue or not considered regular board business.
The report says technological illiteracy and fear of jargon are no longer an excuse for ignoring cyber developments, nor do they reduce the obligation of directors to ensure data privacy – especially those holding data that falls under privacy laws.
“Based on the findings from this year’s survey, it is clear that most boards have a long way to go to meet this obligation,” it says.
The report says that during the 1980s and 90s organisations developed disaster recovery plans to protect from accidental data loss. Today, loss of data is more likely to result from an attack than accidental damage, but the same principles should be applied.
It’s up to directors to ensure they have some degree of technical literacy, just like they need financial literacy, to execute their responsibilities.
AICD senior policy advisor Lucas Ryan told delegates at the ACSA National Summit in Sydney that company directors are struggling with cybersecurity even though it is something “everyone is concerned about”.
He said AICD research found 50 per cent of directors did not have cyber security as a focus on their board.
“They don’t talk about cyber security. It doesn’t appear on their agendas. Only 15 per cent said that they actively manage it during the year and a minority feel they have a good understanding of what cybersecurity is,” he said.
Cybersecurity should be thought of as an asset management issue rather than a technology issue, he said.
“When we talk about cybersecurity really we’re talking about the way that we manage the risk associated with our technology assets.
“So in responding to cyber security as a governance challenge, I would suggest that the first point of action needs to be developing an understanding of what cyber security is and how you will respond to it as an organisation. When you make a decision that involves technology you need to be able to ask the same questions you’d ask in any risk management.
“We’d be looking at things like can our data be stolen, can it be lost, can it be damaged and what steps are being taken to protect against that? There should be protocols around access and use in your data the same as access and use of your cash assets.”
AICD researcher Penny Knight said cyber security needed to be “embedded in the way we think about things. You wouldn’t leave the keys to your car in the ignition, you wouldn’t leave your laptop on a train.”
Meeting the cybersecurity challenge also required a cultural shift, she said, in much the same way OHS had become an overriding element of keeping staff safe over the last two decades.
“We need to get staff engaged to think that it’s their responsibility to protect data in the organisation so it’s a cultural mission as well,” she said.
Questions for directors
- Is a cybersecurity review on your calendar?
- Do you know your legal obligations in relation to cyber security?
- Are your data assets subject to risk assessment?
- Are cybersafety habits common and reinforced across the organisation?
- Are you regularly investing in your cyber knowledge and skills?
You can read the full report here.